ISO 45001 Clause 4.3: Determining the Scope of Your OH&S Management System

Q: What must an ISO 45001 scope statement contain?

The scope statement must describe: (1) the physical and organizational boundaries of the OH&S management system, (2) the types of work activities and worker groups covered, (3) any exclusions and their justification, and (4) a declaration that the organization intends to achieve the intended outcomes of ISO 45001. It must be available as documented information and communicated to interested parties.

Q: Does Clause 4.3 require the scope to cover contractors working on site?

Not necessarily as members of the OH&S management system, but ISO 45001 requires that hazards posed by and to contractors be addressed. Under Clause 8.1.4, organizations must manage the OH&S risks associated with contractors working on their premises or under their control. Whether contractors are named within the scope statement depends on the nature of the relationship and the degree of control the organization exercises over their work.

Last updated: 2026-04-11

When organizations begin building an ISO 45001 OH&S management system, the scope is often treated as a formality — a one-sentence description that gets written once, filed away, and forgotten. That is exactly the wrong way to approach ISO 45001 Clause 4.3: Determining the Scope of the OH&S Management System.

The scope is the foundation on which your entire occupational health and safety program rests. It defines who is protected, where the system applies, what activities it governs, and — crucially — what boundaries constrain it. Get it wrong, and you will face a cascade of downstream problems: certification nonconformances, gaps in worker protection, disputes about what the audit covers, and management system elements that don't align with operational reality.

This guide covers everything practitioners need to know about ISO 45001 Clause 4.3: what the clause requires, how it connects to Clauses 4.1 and 4.2, how to define physical and organizational boundaries, what "authority and ability to control or influence" means in practice, when excluding activities or sites is legitimate, and what a well-written scope statement looks like. I'll also walk through the most common nonconformities and what third-party auditors specifically look for.

What ISO 45001 Clause 4.3 Actually Requires

The clause text in ISO 45001:2018 reads:

"The organization shall determine the boundaries and applicability of the OH&S management system to establish its scope. When determining this scope, the organization shall: a) consider the external and internal issues referred to in 4.1; b) take into account the requirements referred to in 4.2; c) take into account the planned or performed work-related activities. The scope shall be available as documented information."

There is also a note that clarifies one significant constraint:

"The OH&S management system can include the whole organization or specific parts of the organization, provided that the top management of the part of the organization has authority and ability to establish, implement, maintain and continually improve an OH&S management system."

That phrase — authority and ability to establish, implement, maintain and continually improve — is the governing test for scope decisions. Every boundary decision, every potential exclusion, must pass through that test. If the part of the organization being considered lacks the autonomy to run its own OH&S management system, you cannot scope it separately. It must be included in a broader system or excluded on defensible grounds.

The Clause 4.1 / 4.2 / 4.3 Trilogy: Why Sequence Matters

Clause 4.3 does not exist in isolation. It is the third step in a deliberate sequence that the standard calls "Context of the Organization," and you cannot do it well without first completing the prior two steps.

How Clause 4.1 Feeds Clause 4.3

Clause 4.1 requires you to identify the internal and external issues that affect your organization's ability to achieve its OH&S management system outcomes. These issues directly inform your scope decisions. For example:

If you identify that your organization operates across multiple regulatory jurisdictions, your scope must either address each jurisdiction or explicitly explain why certain locations are excluded.
If internal issues include a recent acquisition of a subsidiary with different safety culture and infrastructure, the scope decision becomes: include the subsidiary now, or phase it in under a documented plan?
If you identify a hazardous work environment at one facility but not others, that facility's OH&S risk profile argues for its inclusion — excluding it purely for convenience would likely fail audit scrutiny.

How Clause 4.2 Feeds Clause 4.3

Clause 4.2 requires you to identify interested parties — workers, contractors, regulators, customers, community members — and understand their needs and expectations. Your scope decisions must account for these parties:

If workers at a specific facility have expressed safety concerns that are already on record, excluding that facility from the scope would be difficult to defend.
If a major customer contractually requires ISO 45001 certification to cover all production activities, your scope must reflect that requirement.
If regulatory authorities hold you responsible for worker safety at an off-site location, that location belongs in scope.

The sequence matters because auditors will walk backward from your scope statement through your context and interested party analyses to verify that the scope is grounded in organizational reality — not shaped by a desire to minimize audit burden.

Understanding Boundaries: Physical and Organizational

One of the most practical challenges in Clause 4.3 is understanding that "boundaries" has two distinct dimensions: physical and organizational. Both must be addressed in your scope determination.

Physical Boundaries

Physical boundaries define the geographic locations and facilities covered by the OH&S management system. These might include:

A single manufacturing plant at one address
Multiple facilities across different cities, states, or countries
Mobile worksites (construction sites, field service operations)
Remote work locations where workers operate from home
Shared facilities where the organization does not control the physical premises
Temporary worksites such as trade show locations, client facilities, or off-site project work

Physical boundaries require specificity. A scope statement that says "all company locations" is less defensible than one that names the locations. During a certification audit, the auditor's sampling plan will be based on your stated boundaries — if boundaries are vague, the auditor has discretion to interpret broadly, which may catch you off guard.

Organizational Boundaries

Organizational boundaries define which functions, business units, departments, or legal entities fall within the system. This is where multi-entity organizations must think carefully:

Does the scope cover only the parent company, or also subsidiaries?
Are specific business divisions included while others are not?
Are temporary staff, contractors, or agency workers included within the system's coverage?
Does the system extend to joint ventures where your organization is a minority partner?

The note in Clause 4.3 allows a portion of the organization to have its own OH&S management system — but only if that portion's top management has genuine authority and ability to run the system independently. A subsidiary that must get approval from a parent company for safety budget decisions or policy changes likely does not have sufficient authority to run a truly independent OH&SMS.

Authority and Ability to Control or Influence: What This Means in Practice

The phrase "authority and ability to control or influence" appears in both the clause note and throughout the broader standard, and it carries real weight in scope determination. Let me be direct about what it means operationally.

Authority means the legal and organizational power to make decisions. An organization has authority over its own employees' work conditions. It has authority over the equipment it owns. It has authority over the procedures it writes and enforces. It does not have authority over a landlord's building maintenance — but it may be able to contractually require certain safety standards.

Ability to influence is a broader concept. Even where you lack direct authority, you may have the ability to influence OH&S outcomes through contracts, supplier requirements, purchasing decisions, or operational protocols. The question is not whether influence is perfect — it is whether you have a meaningful lever.

Practically, this plays out in several common scenarios:

Contractor workers on your premises: You have both authority (you control the site) and influence (you can mandate safety rules as a condition of access). They belong in your scope for purposes of hazard identification under Clause 6.1.2, even if they aren't listed as employees.
Workers at a client's facility: You may have limited authority over the physical site but retain authority over your workers' conduct and PPE requirements. Your scope should address what you control.
Remote employees working from home: You do not control their home environment, but you have authority over their work assignments, work hours, equipment provided, and ergonomic guidance. Scope inclusion with defined applicability is the appropriate approach.
A recently acquired subsidiary: Until integration is complete and your management systems are aligned, the subsidiary may need a transitional scope arrangement — but the timeline for full integration should be documented.

ISO 45001 Clause 4.3 Scope Determination: Step by Step

Here is the methodology I use with clients at Certify Consulting to produce scope statements that hold up under audit scrutiny.

Step 1: Gather Your Clause 4.1 and 4.2 Outputs

Pull the documented results of your context analysis and interested party analysis. These are not just inputs — they are evidence. The scope must be traceable to these analyses. Any external or internal issue that has material OH&S implications argues for the affected area's inclusion in scope.

Step 2: Inventory All Physical Locations and Work Activities

Create a complete list of every location where work is performed and every category of work activity conducted. Include:

All fixed facilities (owned or leased)
Mobile and field operations
Remote and home-based work
Temporary worksites
Routine and non-routine activities at each location

This inventory becomes the raw material for your scope statement. It also serves as the foundation for hazard identification under Clause 6.1.2.

Step 3: Map Organizational Entities and Authority Structures

Document your organizational structure — legal entities, reporting lines, management hierarchy, and decision-making authority over safety matters. Where multiple entities exist, identify which management teams have genuine authority over OH&S decisions.

Step 4: Assess Each Location and Entity Against the Authority and Ability Test

For each location and organizational unit, ask:

Does top management at this location have authority to set OH&S policy?
Does top management at this location control safety budget and resource allocation?
Does top management at this location have authority to implement and enforce OH&S procedures?
Is this location's OH&S risk profile material to the organization's overall worker safety outcomes?
Are there interested parties — workers, regulators, customers — who expect this location to be covered?

If the answers to questions 1-3 are yes, the location can potentially have its own scope. If the answers suggest it lacks autonomy, it should be within a broader scope or included in the parent organization's system.

Step 5: Determine Inclusions and Justified Exclusions

With the inventory and authority mapping complete, make deliberate decisions about what is in scope and what is out. For any exclusion, document the specific justification. Acceptable justifications include:

No workers are assigned to or perform work at that location
The organization has no authority or ability to influence OH&S at that location
A separate, standalone OH&SMS exists for that entity with its own certification

Unacceptable justifications include:

The location has a poor safety record and would be difficult to certify
The site has not yet implemented the required procedures
Management at that site is resistant to the OH&SMS process

Step 6: Draft the Scope Statement

Write the scope statement. Then review it against this checklist:

Does it specify the physical locations covered?
Does it specify the organizational units or functions covered?
Does it describe the types of work activities covered?
Does it identify worker groups covered (employees, contractors, etc.)?
Does it address any exclusions and their basis?
Is it clear enough that an external auditor could determine, upon arrival at any facility, whether they are within scope?

What the Scope Document Must Contain: Documented Information Requirements

Clause 4.3 contains one of the few explicit documented information requirements in ISO 45001: "The scope shall be available as documented information." This means the scope statement is a mandatory controlled document. It must be:

Written and maintained — not something that exists only in someone's head or in meeting notes
Version controlled — changes to scope must be tracked, with the date of change and the reason for the change
Accessible to relevant interested parties — workers, management, auditors, and other parties who need to understand what the system covers
Reviewed and updated when organizational changes occur — scope drift (where the actual business has changed but the scope statement has not been updated) is a recurring audit finding

The scope statement does not need to be lengthy. A focused, specific two-to-three paragraph document is far preferable to a vague five-page document. Clarity and specificity are the measures of a good scope statement, not volume.

Practical Example: Scope Statement for a Mid-Size Manufacturing Company

To make this concrete, here is what a well-constructed scope statement looks like for a real-world scenario: a mid-size manufacturing company with 280 employees across two production facilities and a corporate headquarters.

OH&S Management System Scope Statement — Acme Components LLC

Acme Components LLC's Occupational Health and Safety Management System encompasses all operations conducted at the following locations: (1) Corporate Headquarters, 1200 Industrial Pkwy, San Diego, CA 92101; (2) Manufacturing Facility A, 4500 Production Drive, El Cajon, CA 92020; (3) Manufacturing Facility B, 780 Commerce Way, Chula Vista, CA 91911.

The OH&SMS covers all work activities performed by Acme Components employees, including administrative, engineering, production, maintenance, shipping and receiving, and quality functions. It also addresses the OH&S risks associated with contracted maintenance and construction workers operating on company premises under Acme's operational control, in accordance with Clause 8.1.4.

The system does not extend to the operations of Acme's third-party logistics provider, Fastway Distribution Inc., who operates from their own premises under their own management authority. Acme's influence over Fastway's operations is limited to contractual delivery requirements and does not include the ability to implement or enforce OH&S procedures at Fastway's facility.

Acme's OH&SMS is designed to achieve the prevention of work-related injury and ill health, the provision of safe and healthy workplaces, and the continual improvement of OH&S performance. Senior management at all three locations has full authority to establish, implement, maintain, and improve the system.

Notice what this scope statement does well: it names specific locations, describes the worker groups covered, explicitly addresses contractors and explains how, documents a specific exclusion with a clear justification, and connects back to the intended outcomes of ISO 45001 certification. An auditor reviewing this statement knows exactly what they are certifying and why the exclusion is legitimate.

When Excluding Sites or Activities Is Valid

Scope exclusions are legitimate — ISO 45001 explicitly contemplates them. But the standard does not give organizations a free pass to exclude whatever is inconvenient. Here are the scenarios where exclusions hold up under audit scrutiny, and where they do not.

Legitimate Exclusion Scenarios

No workers present: A warehouse that has been fully automated with no human operators does not require worker protection controls in the traditional sense. If no workers perform activities there, exclusion is defensible — though you must still address any hazards posed to workers who may enter the space for maintenance.
Independent management authority: A legally separate subsidiary with its own management team, its own board, its own safety budget, and its own regulatory relationship legitimately operates its own OH&SMS. Document the independence clearly.
No control or influence: An organization that places workers at a client's facility where the client controls all physical conditions and procedural requirements may have limited ability to influence OH&S outcomes at that location. Even then, the organization typically retains authority over its workers' conduct — so exclusion must be carefully reasoned.
Temporary transitional exclusion during acquisition integration: When an organization acquires a new entity and is actively integrating it into the OH&SMS, a documented transition plan with a defined timeline is acceptable during a surveillance cycle. It is not an indefinite exclusion.

Exclusions That Will Not Survive Audit

Excluding a site because it has a high incident rate and would be difficult to certify
Excluding a function (like maintenance) because procedures haven't been written yet
Excluding remote workers because tracking their compliance is inconvenient
Excluding a shift or worker category because they were overlooked during planning
Excluding contractors who work on your premises daily because they are "not your employees"

The test is always the same: can the exclusion be justified by the absence of genuine authority or ability to control? If the real reason is operational inconvenience or compliance difficulty, auditors will find it.

How the Scope Connects to Downstream Clauses

The scope defined in Clause 4.3 is not just a statement on paper — it is a boundary condition that shapes virtually every subsequent element of the OH&S management system.

Clause 6.1.2 (Hazard Identification): Hazard identification must cover all locations and activities within the scope. If the scope says "all three facilities," hazard identification cannot be conducted only at the main plant.
Clause 6.1.3 (Legal Requirements): Legal requirements must be identified for all jurisdictions in which scoped activities occur. A scope that includes facilities in multiple states triggers compliance obligations across all relevant state OSHA plans.
Clause 7.2 (Competence): Competence requirements apply to workers performing in-scope activities. The scope defines who falls within that requirement.
Clause 7.4 (Communication): Internal communication requirements extend to all workers within the scope. Remote workers and contractors on site must be included in communication plans if they are within scope.
Clause 8.1 (Operational Planning and Control): Operational controls are required for all in-scope activities. A scope change that adds a new activity triggers a requirement to assess and control OH&S risks for that activity.
Clause 9.2 (Internal Audit): The internal audit program must cover all areas within the scope. Auditing only some of the scoped locations is a nonconformity.
Clause 9.3 (Management Review): Management reviews must encompass the performance of all in-scope operations. Selective reporting that excludes underperforming sites creates audit exposure.

This interconnection is why scope errors are so costly. A scope that is either too narrow (missing real OH&S risks) or poorly defined (vague about what is included) creates downstream gaps that compound across the entire management system.

Auditor Expectations During Certification Audits

Based on my work supporting organizations through ISO 45001 certification audits with a 100% first-time pass rate, here is what third-party auditors specifically examine when reviewing Clause 4.3 compliance.

Stage 1 Audit (Document Review)

At Stage 1, the auditor will review your scope statement and cross-reference it against:

Your Clause 4.1 context analysis — does the scope reflect the issues identified?
Your Clause 4.2 interested parties analysis — does the scope address the parties and their expectations?
Your organizational structure documents — do the entities and locations match?
Any exclusions — are they documented and justifiable on their face?

A common Stage 1 finding is a scope statement that is too vague to audit against. If the auditor cannot determine from the scope document which sites are in scope, they will raise it as a concern before Stage 2.

Stage 2 Audit (On-Site Verification)

At Stage 2, the auditor will verify that the system in practice matches the scope on paper. Key checks include:

Are all scoped locations actually operating under the OH&SMS?
Are workers at all scoped locations aware of the OH&SMS and their roles in it?
Has hazard identification been conducted at all scoped locations?
Are internal audit records available for all scoped areas?
If contractors are mentioned in the scope, is there evidence of contractor OH&S management (Clause 8.1.4)?

One specific area auditors probe is the boundary between in-scope and out-of-scope areas. If your scope includes "all manufacturing operations" but excludes "the on-site logistics function," the auditor will examine whether that boundary is coherent — for example, whether logistics workers move between the two areas and how OH&S controls apply when they do.

Common Clause 4.3 Nonconformities

Here are the scope-related nonconformities I encounter most frequently across client engagements:

Nonconformity	Root Cause	Corrective Action
Scope statement does not name specific locations	Generic drafting without reviewing actual operations	Revise scope to list all specific facilities by address and function
Scope excludes a site that management clearly controls	Attempting to reduce audit burden	Add the site to scope; conduct hazard identification and integrate into the OH&SMS
Scope does not mention contractors who work on-site daily	Misunderstanding of who the system must address	Revise scope to acknowledge contractor management obligations per Clause 8.1.4
Scope statement has not been updated after organizational changes	No trigger in the management of change process	Add scope review to the MOC procedure and management review agenda
Exclusions are not documented or justified	Scope was drafted without formal analysis	Document each exclusion with its specific justification tied to authority/ability test
Remote workers are absent from the scope despite performing in-scope work	Out-of-sight, out-of-mind approach to scope	Explicitly address remote workers; define controls applicable to their work environment
Internal audit program does not cover all scoped sites	Scope and audit program managed separately without cross-reference	Align audit schedule to scope; verify all locations receive periodic internal audits

How Scope Changes Affect Your ISO 45001 Certification

Once certified, changes to your OH&S management system scope are not trivial. Your certification body must be informed when the scope changes materially, and some changes will trigger additional audit activity.

Scope expansions — adding a new facility, a new product line, a new worker category — will typically require a scope extension audit or assessment. The certification body needs to verify that the new area has been integrated into the OH&SMS before amending the certificate.

Scope reductions — removing a site you are divesting, closing a facility — are generally less audit-intensive but still require documentation and notification. The certificate scope must reflect current organizational reality, not historical reality.

Organizations that undergo significant restructuring without updating their scope documents create audit exposure at surveillance audits. Auditors will identify when the documented scope no longer matches the organization being audited, and the finding will typically be elevated given that scope is a foundational element of the entire system.

For organizations implementing ISO 45001 alongside ISO 9001:2015 or ISO 14001:2015, the scope documents for each standard should be aligned — organizations often maintain an integrated scope statement that serves all three management systems, with system-specific elements called out where needed. This reduces documentation burden and makes integrated audits more efficient.

Conclusion: The Scope Is Your Commitment, Not Just Your Boundary

ISO 45001 Clause 4.3: Determining the Scope of the OH&S Management System is where your organization makes a public commitment — to workers, to regulators, to certification bodies, and to the market — about who and what your occupational health and safety management system protects. Every other clause in the standard is calibrated against that commitment.

A scope statement that is vague, incomplete, or strategically crafted to minimize audit burden creates systemic fragility. Workers in un-scoped areas receive no protection. Auditors identify gaps. Regulatory authorities may question whether the certified scope reflects real operational conditions. And when an incident occurs, the question of whether the affected area was within the OH&SMS scope becomes suddenly and painfully important.

Get the scope right. Ground it in your Clause 4.1 context analysis and your Clause 4.2 interested party analysis. Be specific about physical boundaries and organizational limits. Document every exclusion with a defensible justification. Then make sure the rest of your OH&SMS delivers on the scope you have committed to.

At Certify Consulting, we've supported over 200 organizations through ISO 45001 certification, and scope determination is always one of the first conversations we have — because every decision that follows depends on getting it right. If you are working through your scope determination or preparing for a first-time or recertification audit, visit certify.consulting to learn how we can help.

Frequently Asked Questions: ISO 45001 Clause 4.3 Scope

Can an organization exclude a site or legal entity from the scope of its ISO 45001 OH&S management system?

Yes, but only under specific conditions. ISO 45001:2018 Clause 4.3 permits exclusions of sites, functions, or activities where the organization has no authority or ability to control or influence them. The exclusion must be documented and justified. Auditors will scrutinize any exclusion closely — excluding an area primarily to avoid a difficult compliance challenge is not a valid basis. The legitimacy of any exclusion depends entirely on the genuine absence of control or influence.

What must an ISO 45001 scope statement contain?

The scope statement must describe: (1) the physical boundaries of the OH&S management system — specific locations covered; (2) the organizational boundaries — which functions, entities, or divisions are covered; (3) the types of work activities and worker groups covered; (4) any exclusions and their specific justification; and (5) a clear statement that the organization intends to achieve the intended outcomes of ISO 45001. It must be maintained as documented information and communicated to interested parties.

How does the scope of the OH&S management system connect to the ISO 45001 certification scope?

They are directly linked. Your ISO 45001 certification certificate will reflect the scope of your OH&S management system as defined in Clause 4.3. The certification body is certifying that the system described in your scope statement conforms to ISO 45001:2018. If you later change your scope — by adding a site or new activity — you must notify the certification body and may trigger a scope extension audit.

Does Clause 4.3 require the scope to cover contractors working on site?

Not necessarily as members of the OH&SMS organization, but ISO 45001 requires that hazards posed by and to contractors be addressed. Under Clause 8.1.4, organizations must manage the OH&S risks associated with contractors working on their premises or under their control. Whether contractors are named within the scope statement depends on the nature of the relationship and the degree of control the organization exercises. In practice, contractors who work on your premises regularly under your operational control should be addressed in the scope, even if indirectly.

How often should the scope be reviewed?

ISO 45001 does not specify a review frequency for the scope document, but best practice is to review it as part of the annual management review process under Clause 9.3 and whenever significant organizational changes occur — such as acquiring a new facility, adding a new service line, divesting a business unit, or significant workforce restructuring. An outdated scope that no longer reflects operational reality is a common and easily preventable audit finding.

Last updated: 2026-04-11

Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC is the Principal Consultant at Certify Consulting, with 8+ years of experience and a 100% first-time audit pass rate across 200+ client engagements.